10.0 for Microsoft Exchange Server 2007

(Build 0566)

Thank you for using Microsoft Forefront Security for Exchange Server, anti-virus protection for Microsoft Exchange servers. This Readme file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

To view the latest updated Readme.htm, check: http://go.microsoft.com/fwlink/?linkid=68798

What's in this file

Requirements

Special Note for Deliver from Quarantine Security

Important Notes

New Features

Software Fixes

Known Issues

Documentation

Frequently Asked Questions

The EICAR Anti-Virus Test File

Requirements

Minimum Server Requirements:

  • Windows 2003

  • Exchange Server 2007

  • 512 MB of Available Memory (1 GB recommended. Note: with each additional licensed scan engine, more memory is needed per scanning process.)

  • 300 MB of Available Disk Space

  • Intel Processor (1 GHz)

Minimum Workstation Requirements:

  • Windows 2000 Professional or Windows 2003

  • 6 MB of Available Memory

  • 10 MB of Available Disk Space

  • Intel Processor

Special Note for Deliver From Quarantine Security:

The new General Option "Deliver from Quarantine Security" has been added to give administrators more flexibility for handling messages and attachments that are forwarded from Quarantine. The options for this setting are "Secure Mode" and "Compatibility Mode."

  • Secure Mode is the default and when the value is set to this mode, all messages and attachments delivered from Quarantine will be re-scanned for viruses and filter matches.

  • Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing a special "Tag" text in the subject line of all messages that are delivered from Quarantine.

A new install panel has also been added that will ask if you would like to run in "Secure Mode" or "Compatibility Mode." If you would like Forefront Security for Exchange Server to continue to allow messages and attachments to be delivered from Quarantine without being rescanned for filter matches, select "Compatibility Mode." If you would like messages and attachments to be rescanned, select "Secure Mode." This setting applies to the Realtime and Internet Scan Jobs.

To allow the subject line "Tag" text used when messages are delivered from quarantine to be customized, the new registry key "ForwardedAttachmentSubject" has been added that allows administrators to specify the Tag text to use. The subject line Tag text can be changed to a unique string for the organization or changed into a local language.

Notes:
If the General Option "Deliver from Quarantine Security" is set to "Secure Mode," old messages that were delivered from Quarantine may be re-detected and Quarantined if they are scanned again by the Realtime scanner.

If the General Option "Deliver from Quarantine Security" is set to "Compatibility Mode" and the subject line tag text is changed, filters will be applied to messages already in the organization that were tagged with old tag text in the subject line if they are re-scanned.

No matter which mode is selected, all inbound messages will be scanned and filtered by the Forefront Security for Exchange Server Transport scan job.

By default, a manual scan will not perform file filtering on messages that were forwarded from Quarantine. If you want to run a Manual Scan and have forwarded attachments re-detected, you must set the "ManuallyScanForwardedAttachments" Registry Value to TRUE.

Important Notes:

  1. Upgrades from earlier releases are not supported.

  2. The standard Forefront Security for Exchange Server license includes nine AV scan engines: Microsoft, Norman, Sophos, Command, Kaspersky, VBuster, AhnLab, and two from Computer Associates (Iris and Vet). After a fresh install, five random engines will be selected for scanning. The Forefront Server Security Administrator can be used to change the engine selection. A maximum of 5 engines can be selected per scan job.

  3. After a fresh install, new signature files must be downloaded to ensure the most up-to-date protection. An hourly scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after Forefront Security for Exchange Server services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail. Use the Forefront Server Security Administrator to enter the proxy information. Under “SETTINGS”, General Options, Scanner Updates, check the "Use Proxy Settings" checkbox. Enter the appropriate information into the Proxy Server Name/IP Address, Proxy Port, Proxy Username, and Proxy Password settings. Once this is done, use the 'Update Now' button to perform an immediate scanner update for each engine.

    Note:
    A successful update of at least one engine should occur before the installation is considered complete.

    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  4. To verify the correct installation of Microsoft Forefront Security for Exchange Server with default protection enabled, click "Operate" and "Run Job" in the left shuttle navigator panel, and verify the following:

    • On a server which contains a Mailbox Role, there should be a Realtime scan Job enabled, and a Manual Scan Job.

    • On a server which includes a Transport Role (such as a Hub, Gateway or a Mailbox/Hub server) there should be a Transport Scan Job enabled.

  5. Microsoft Forefront Security for Exchange sets an optimization tag on Mailbox Servers to skip scanning at the Store if mail is going to be sent to a Bridgehead Server. When using this configuration, Microsoft Forefront Security for Exchange must also be installed on Transport servers; otherwise outgoing mail will not be scanned.

  6. The Exchange 2007 Mailbox server role and Public Folder role have implemented a new default to limit On-Access scanning protection to items received within the last day. This setting is provided to minimize the performance impact of migrating to a new server. In the migration case, the majority of items in the information store will not have an AV stamp, and will all be scanned on access, which can cause high CPU utilization.

    This default setting can be changed in General Options, in the Scanning section. Look for the option "On-Access Scan Messages Received Within The Last" and change the value from the default 1 day to "Anytime". This will set Exchange 2007 to the same On-Access protection setting as Exchange 2003 and 2000.

    A recommended practice is to:

    • Leave the default value of "1 day" when a new server is being deployed.

    • Run a full background scan of the Store on messages received Anytime with the setting of "Scan Only Unscanned Messages."

    • Change the On-Access setting to "Anytime" for a steady state of protection.

  7. Customers who wish to enable scheduled background scanning should perform the following steps:

    • Click "OPERATE" in the left navigation shuttle and then click on the "Schedule Job" icon. You should see the "Schedule Job" panel appear to the right.

    • The top portion of the Schedule Job panel shows the Background Scan Job and indicates if the Scheduler is enabled or disabled.

    • The bottom portion of the Schedule Job panel shows the scheduling information and configuration for the Background Scan Job.

    • To schedule a Background Scan, simply select the date, time, and frequency of your Scheduled Background Scan and press "save" and "enable" if the Scheduler is not already enabled.

    • Background Scanning now supports additional scoping options which determine which messages are scanned whenever a background scan is started. To modify these options, select “SETTINGS”, General Options in the left navigation shuttle and in the right panel (under “Background Scanning”) select the desired scan scoping options.

    • By Default, Realtime Mailbox server scanning does not include the scanning of message bodies. To include message body scanning, select “SETTINGS”, General Options in the left navigation shuttle and in the right panel (under “Scanning”) select the “Body Scanning – Realtime” option.

    • Verify that the Realtime Scan Job is enabled.

  8. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 10.0.

  9. Microsoft Forefront Security for Exchange Server is not supported running on two-node active/active Exchange cluster configurations.

  10. If the SharePoint Portal Alert service is on the server and is running, an upgrade or uninstall of Microsoft Forefront Security for Exchange Server might require a reboot.

  11. To enable the Forefront Server Security Administrator to run on Windows XP SP2, two steps need to be taken. First, run 'dcomcnfg'. Navigate to My Computer in Component Services, right click on My Computer and select properties; choose the COM security page. Under Access Permissions, click Edit limits and add remote access to the “Anonymous Logon” user. The second step is to allow the Forefront Server Security Administrator application. Run Control Panel, choose 'Security Center'. Enter the Windows Firewall admin and go to the Exceptions tab. Choose 'Add Program', select Forefront Server Security Administrator from the list and click OK. Now, check Forefront Server Security Administrator. Choose 'Add port'; Add '135' for the port number, with TCP checked, and any name. Click OK.

    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and Select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  12. When installing an AV solution using the VSAPI2, a registry key is created to save information concerning the VSAPI library. If this key is present when you attempt to install Microsoft Forefront Security for Exchange Server, the installation will fail. You will need to delete the key before attempting to reinstall Forefront Security for Exchange Server.

    The registry key you will need to delete is:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan

    Delete the entire VirusScan key.

    Additionally, VSAPI will not allow you to run multiple AV software solutions concurrently.

  13. Forefront Security for Exchange Server is able to scan the first part of a multi-part RAR file. Any other part of a multi-part RAR will be treated as CorruptedCompressed, and be treated according to the "Delete Corrupted Compressed Files" setting.

  14. To prevent Forefront from requiring a reboot during Upgrade or Uninstall, please shut down the MOM agent (or any other monitoring software) and make sure that no command prompts or Explorer windows have the Forefront installation folder or any of its subfolders open. After Upgrade or Uninstall is complete, the MOM agent should be started again.

  15. Microsoft Forefront Security for Exchange Server does not support the ability for customers to use their own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  16. Forefront Security for Exchange Server database path names (DatabasePath registry key) greater than 216 characters are not supported.

  17. When installing Microsoft Forefront Security for Exchange Server, the length of the install path must be less than 170 characters.

  18. UNC paths specified for engine updates must not end with a backslash ("\").

  19. When Microsoft Forefront Security for Exchange Server is installed on an Edge Transport server that is not a member of a domain, the InternalAddress setting will be empty.

  20. Notifications and Deliver from Quarantine functionality will not work if Microsoft Forefront Security for Exchange Server is installed on a Mailbox Only role and the server is a Domain Controller.

  21. Importing filter lists from a UTF-8 formatted file is not supported.

  22. It is recommended to have file filtering done by the Transport Scan job since Transport is able to retrieve mails from the Store before they are scanned by the Realtime Scan job. Since all mails must go through the Bridgehead role, the same filters would be applied to all messages.

  23. Forefront will only install and run with the default setting of "Remote Signed" that Exchange places on the PowerShell execution policy. Changing it to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by Forefront.

  24. Keyword Filtering lists are not available for download from Microsoft in this release.

  25. Single node management of Forefront Security for Exchange Server is available via the Forefront Server Security Administrator. Multi-server management of Forefront Server Security through the Microsoft Forefront Security Management Console is not available.

  26. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the machines involved should be configured with uniform locale settings. Specifically, the System Locale settings of the machine where the server is being run should match the User Locale settings of the machine where the client is being run. If these two locales do not match, connection will not be allowed.

  27. When installing Forefront Server Security for Exchange on a CCR cluster, the installation path must be the same for both nodes.

  28. In General Options, the Internal Address setting is limited to 64KB characters.

  29. When running Forefront Security for Exchange Server on a CCR cluster, the General Option "Redistribution Server" is checked by default after install, and must remain checked for proper engine replication.

  30. When uninstalling Forefront Security for Exchange Server, Active Directory must be available for the uninstall to work correctly.

New Features

Build 10.0.0566 (Includes all features from Antigen 9.0.1055):

  1. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 4. The value will not be changed during upgrades. Note: Services will still need to be recycled for these values to take effect.

  2. The behavior of the "Max Container File Infections" General Option has changed. If the option is set to '0', and a filter match occurs within the container, the entire container will be deleted.

Build 9.0.1055 (Includes all features from Antigen 8.0.1517):

  1. For each scan engine, a secondary update path can be entered. If using the network update path to get an engine update fails for any reason, the secondary update path will be tried.

  2. A new General Option has been added that gives the user the option to purge a message if any of the message body parts is deleted and there are no attachments.

  3. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 2. The value will not be changed during upgrades. In addition, two new General Options are exposed in the UI to allow the user to change these settings without editing the registry. Note: Services will still need to be recycled for these values to take effect.

  4. Separate notifications are now available for Spam/RBL, keywords, and sender/subject filters. Keyword filter notifications are available for the sender and recipients as well as the administrator. A new Spam Administrator is available for the Spam/RBL filters. Content Filter notifications are available for the sender and recipients, as well as the administrator, and include Sender and Subject Line filter notifications.

  5. Cluster support on Active/Passive clusters has been enhanced. Configuration data as well as scanner signature data are now associated with an Exchange Virtual Server. Registry data will be replicated on an Exchange Virtual Server basis.

Software Fixes

Build 10.0.0566 (Includes all software fixes from Antigen 9.0.1055):

9.0.1055 (Includes all software fixes from Antigen 8.0.1517):

Known Issues

  1. The FSCController Service is dependent on the NT Schedule service. The Schedule service must have the ability to start successfully for Microsoft Forefront Security for Exchange Server to initialize.

  2. Attachments compressed with PKWARE's DCL-Implode are not scanned.

  3. Attachments compressed with PKWARE's Deflate64(tm) are not scanned at this time.

  4. During a Hot Upgrade, the user has the option to "Stop Waiting" if the upgrade is taking too long to process or if it has caused Forefront Security for Exchange Server to hang. If the "Stop Waiting" option is selected too soon after starting the process, there is a risk that Forefront Security for Exchange Server may be left in an off-line state. (Please allow 3-5 minutes before using the "Stop Waiting" option.) If this happens, the Exchange services may need to be recycled to restart Forefront Security for Exchange Server.

  5. The "Perform Updates at Startup" General Option setting will be set to 'Off' after an upgrade. If this setting was previously set to 'On', use the Forefront Server Security Administrator to set this option back on after the upgrade.

  6. If the Service Control Manager is open, an install or upgrade may fail with "Setup failed in SetupRegistry".

  7. Installing Microsoft Forefront Security for Exchange Server in a folder that contains non-ASCII characters is not supported. Please choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~

  8. Having multiple filter list names that differ only by case will not work properly.

  9. In the Forefront Security for Exchange Server Registry Keys section of the Forefront Security for Exchange User Guide, the registry key "MaxCompressedArchiveFileSize" should be "MaxCompressedArchivedFileSize".

  10. In the Forefront Security for Exchange User Guide, a correction should be made in the Read-Only Administrator section. The default database location is Program Files\Microsoft Forefront Security\Exchange Server\Data.

  11. The "Messages Scanned" Statistics counter will not increment for each message if Keyword Filtering is unchecked in the Forefront Server Security Administrator.
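
The path limits in Important Notes 16, 17 and 18 and the character restriction in Known Issue 7 can be checked before setup is run. The following Python script is an added example, not part of the original readme or of the product; the function names and sample paths are constructed, and it assumes the space character is acceptable because the default path quoted in this readme contains spaces.

```python
import string

MAX_INSTALL_PATH_LEN = 169   # Important Note 17: must be less than 170 characters
MAX_DATABASE_PATH_LEN = 216  # Important Note 16: more than 216 is not supported

# Character groups from Known Issue 7. ASSUMPTION: the space character is added
# because the readme's own default path ("Program Files\...") contains spaces.
ALLOWED_INSTALL_CHARS = frozenset(
    string.ascii_letters + string.digits + ":\\/!#$%'()+,-.;=@[]^_`{}~" + " "
)


def check_install_path(path):
    """Return a list of problems with a proposed install folder."""
    problems = []
    if len(path) > MAX_INSTALL_PATH_LEN:
        problems.append(
            f"path is {len(path)} characters; limit is {MAX_INSTALL_PATH_LEN}"
        )
    bad = sorted({ch for ch in path if ch not in ALLOWED_INSTALL_CHARS})
    if bad:
        shown = ", ".join(f"{ch!r} (U+{ord(ch):04X})" for ch in bad)
        problems.append(f"path contains unsupported characters: {shown}")
    return problems


def check_database_path(path):
    """Return a list of problems with a proposed DatabasePath value."""
    if len(path) > MAX_DATABASE_PATH_LEN:
        return [f"path is {len(path)} characters; limit is {MAX_DATABASE_PATH_LEN}"]
    return []


def check_update_path(path):
    """Important Note 18: a UNC update path must not end with a backslash."""
    if path.startswith("\\\\") and path.endswith("\\"):
        return ["UNC path ends with a backslash"]
    return []


def preflight(install_path, database_path, update_paths):
    """Run every check and return one labelled finding per problem."""
    findings = [f"install: {p}" for p in check_install_path(install_path)]
    findings += [f"database: {p}" for p in check_database_path(database_path)]
    for unc in update_paths:
        findings += [f"update {unc}: {p}" for p in check_update_path(unc)]
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    for line in preflight(
        "C:\\Program Files\\Forefront\\Donn\u00e9es",
        "D:\\" + "d" * 214,
        ["\\\\updates01\\engines\\", "\\\\updates02\\engines"],
    ):
        print(line)
```

An empty result from preflight means that none of the four documented limits is violated; it does not check the other installation requirements.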

Documentation

The documentation for this product is distributed in HTML format and is provided with this package. After installation, access help either from the Forefront Server Security Administrator interface or use the F1 key when running the Forefront Server Security Administrator.

Frequently Asked Questions

Regularly updated lists of frequently asked questions are available on Microsoft's web site (http://go.microsoft.com/fwlink/?LinkID=78562):

Q: How can I restrict who can administer Microsoft Forefront Security for Exchange Server?

A: The Forefront Server Security Administrator uses DCOM to connect to the Forefront Security for Exchange Server component. DCOM settings for the 'FSCController' application are set to initially allow the Administrators group and SYSTEM full access. You can change the "Access" and "Launch" settings in DCOM to restrict access. You do this by launching the DCOMCNFG.EXE program and selecting FSCController from the Application tab. Once completed, you will need to restart the Exchange Services.

Q: When I uninstall Microsoft Forefront Security for Exchange Server, there seems to be a file left behind. Is that by design?

A: When uninstalling Microsoft Forefront Security for Exchange Server, the process will not remove the file IsUninst.EXE from the Windows (e.g. c:\windows) folder. It is possible for this file to be shared and used by other applications. If you determine that no other application is using this file, you may safely remove it from your system.

The EICAR Anti-Virus Test File

Provided below is the code for the EICAR Standard AntiVirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 

When done, you will have a 69-byte or 70-byte file.

You can then attach this to an Exchange message for testing. Forefront Security for Exchange Server will report finding the EICAR-STANDARD-AV-TEST-FILE virus. If you have "cleaning" enabled, Forefront Security for Exchange Server will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain the following string when viewed: "Microsoft Forefront Security for Exchange Server found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.
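
The test file can also be produced and checked by a script, which avoids editor-dependent line endings. The following Python script is an added example, not part of the original readme; the function names are constructed, and the trailing-whitespace and 128-byte rules come from EICAR's published definition of the test file rather than from this document.

```python
# The 68-character string from this readme, kept in two pieces so that the
# script itself is less likely to be flagged by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR"
         r"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

# EICAR's definition: the string may be followed only by these whitespace
# bytes (space, tab, LF, CR, Ctrl-Z), and the whole file may not exceed 128 bytes.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_TOTAL_LEN = 128


def build_test_file(line_ending=b""):
    """Return the test file content with no line ending, LF, or CRLF."""
    if line_ending not in (b"", b"\n", b"\r\n"):
        raise ValueError("line_ending must be b'', b'\\n' or b'\\r\\n'")
    return EICAR + line_ending


def check_test_file(data):
    """Return (ok, reason) for a candidate test file given as bytes."""
    if not data.startswith(EICAR):
        return False, "does not start with the 68-byte test string"
    trailing = data[len(EICAR):]
    if any(b not in ALLOWED_TRAILING for b in trailing):
        return False, "non-whitespace bytes follow the test string"
    if len(data) > MAX_TOTAL_LEN:
        return False, f"{len(data)} bytes exceeds the {MAX_TOTAL_LEN}-byte limit"
    return True, f"valid test file, {len(data)} bytes"


def write_test_file(path, line_ending=b"\r\n"):
    """Write the test file in binary mode and return the number of bytes written."""
    data = build_test_file(line_ending)
    with open(path, "wb") as handle:
        handle.write(data)
    return len(data)


if __name__ == "__main__":
    # In-memory checks only; nothing is written to disk here.
    for name, ending in (("none", b""), ("LF", b"\n"), ("CRLF", b"\r\n")):
        print(name, check_test_file(build_test_file(ending)))
    # A leading byte-order mark, as some editors add, breaks the file.
    print("BOM", check_test_file(b"\xef\xbb\xbf" + EICAR))
```

The string alone is 68 bytes; one LF gives 69 and one CRLF gives 70, which matches the sizes quoted above. A file saved with a byte-order mark or any other leading byte no longer starts with the test string, so a scanner that follows the definition strictly is not required to detect it.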


Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice.  Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious.  No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.  Complying with all applicable copyright laws is the responsibility of the user.  Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.  Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.